Posted by Cliff on Friday September 29, 2006 @06:15PM
from the second-chance-career dept.

Mark Zenson asks: "Understanding the mindset of a hacker and the likes of one may be useful to counter security attacks, but apparently companies still object to hiring former, or even reformed, black hats."
The article asks this question of several executives in the industry and for various reasons, many of them were skeptical of the idea of hiring such people. Would you give black hats a second chance if you were in their position?

What's unfortunate for black hats is that there is a wealth of solid programmers from America, India and Russia (if they can make it here) who are more than willing to do anything. On top of that, they have no criminal background. So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.

eldavojohn, I was agreeing with everything you said up until this point. I'm the moderator for the SecurityFocus penetration-testing mail list and the CTO for a security firm specializing in pen-testing. At the level of skill I'm talking about there is no "thousand other people... and meet the basic qualifications" but a very limited number. That fact alone allows for some wiggle room for companies looking for candidates with a rare high-level skill set. Would I hire someone with a blackhat background? Sure, if they met the criteria you outlined above and played at the level I'm looking for, because there aren't that many candidates out there looking for work.

Of course, while I would hope the decision would be a sound one I'd remain wary as it *is* risky... but people can change or grow up. Anyone who has been in the security industry for a good length of time has some skeletons in their closet. I was not always a lily-white scion of responsibility *cough*... but I grew up. Had the mistakes of my youth precluded me from working in the industry I might have turned out to be a very well-dressed, sensitive, thoughtful, extremely hireable burger flipper.

I'm also an ex-blackhat. Back in the day I stayed up late, did my thing, learnt a lot. It was never malicious really, but definitely blackhat. I was a curious guy who didn't have much of a sex life. Getting a sex life was good, but so is curiosity - find a direction for it.

These days I've got degrees, run a security company and have hired several people I knew from the scene who are excellent programmers, professionals, can wear a suit etc. I have also hired several that I suspect were blackhats in the past.

I look for good workers. I test their technical skills in the first interview (via a technical test) and then try to ascertain if they are a dedicated worker.

Would I want an untrustworthy snake, just trying to steal from my business working for me? No. But you can find those in the accounting profession just as easily as computing probably.

Hire smart people, give them responsibility - be loyal to them and expect loyalty.

Sure, I've had to fire people cause they're slackers - but everyone I've hired from the scene is dedicated, loyal, smart and hardworking.

I agree though. Keep your mouth shut, show your skills, curiosity and drive. Things I learnt in the scene have taken me a long way.

A stylish wardrobe is not a reliable indicator of a good worker, especially when we are discussing developers. I myself prefer black T-shirts and cargo pants. I also wear boots because I motorcycle into work. Does that mean my code, productivity, or relations with my co-workers suffers? So far, everything has been smooth.

We have plenty of the "dockers" crowd and even a few that wear a suit once-in-a-while. They are usually not technical types and their worth to the organization is certainly not any higher than mine.

When I was interviewed, two of the interviewers (developers) had actually worn shorts (not the norm but allowed) and asked me if I minded a laid-back environment. I knew then I was in the right place.

I am directly responsible for hiring and managing IT people in RL. Answering the article's question, being a former black hat would not be a factor for discarding a candidate.

Answering your post, you state: "The key to keeping me from hacking the companies assets was to keep me busy." I'd never hire somebody if I'd have to find ways to keep him/her from hacking the company's assets. There is a difference between a former black hat and a black hat that is too busy to hack.